New zero-day hole in Word
After the recent Patch Tuesday, Windows users thought that Microsoft Office had finally been made secure. Unfortunately, documents have already popped up that exploit a previously unknown security hole in the word-processing program to inject malicious code. Microsoft says that attacks in which such a manipulated document was used have been limited and specifically targeted.
The software vendor did not provide any details on the security hole but merely stated that a specially prepared string in a Word document allows areas of memory to be overwritten; in the process, malicious code can be injected. In its security advisory, Microsoft recommends that users stay away from documents from untrustworthy sources. The security hole affects Word in Office 2000 and Office XP; according to Microsoft's advisory, it cannot be exploited in Office 2003, 2007 and Word Viewer 2003.
Developers are already working on an update to close the hole. To be on the safe side until a patch has been made available, users of the affected versions of Word should at least ask the sender of unsolicited Word documents whether they actually sent the message, such as by calling the sender on the phone. Users can also open such documents in Word Viewer.
- Vulnerability in Microsoft Word Could Allow Remote Code Execution, Microsoft's security advisory